| version 1.12, 1996/11/23 19:10:43 |
version 1.13, 1996/11/30 17:50:58 |
|
|
| #!/bin/sh - |
#!/bin/sh - |
| # |
# |
| # $OpenBSD$ |
# $OpenBSD$ |
| |
# from: @(#)security 8.1 (Berkeley) 6/9/93 |
| # |
# |
| |
|
| PATH=/sbin:/usr/sbin:/bin:/usr/bin |
PATH=/sbin:/usr/sbin:/bin:/usr/bin |
| |
|
| umask 077 |
umask 077 |
|
|
| LIST=$DIR/_secure5 |
LIST=$DIR/_secure5 |
| OUTPUT=$DIR/_secure6 |
OUTPUT=$DIR/_secure6 |
| |
|
| |
|
| if ! mkdir $DIR ; then |
if ! mkdir $DIR ; then |
| printf "tmp directory %s already exists, looks like:\n" $DIR |
printf "tmp directory %s already exists, looks like:\n" $DIR |
| ls -alF $DIR |
ls -alF $DIR |
|
|
| if ($1 ~ /^[+-].*$/) |
if ($1 ~ /^[+-].*$/) |
| next; |
next; |
| if ($1 == "") |
if ($1 == "") |
| printf("Line %d has an empty login field.\n",NR); |
printf("Line %d has an empty login field.\n", NR); |
| else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
| printf("Login %s has non-alphanumeric characters.\n", $1); |
printf("Login %s has non-alphanumeric characters.\n", $1); |
| if (length($1) > 8) |
if (length($1) > 8) |
|
|
| next; |
next; |
| if (NF != 4) |
if (NF != 4) |
| printf("Line %d has the wrong number of fields.\n", NR); |
printf("Line %d has the wrong number of fields.\n", NR); |
| if ($1 !~ /^[A-za-z0-9]*$/) |
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/) |
| printf("Group %s has non-alphanumeric characters.\n", $1); |
printf("Group %s has non-alphanumeric characters.\n", $1); |
| if (length($1) > 8) |
if (length($1) > 8) |
| printf("Group %s has more than 8 characters.\n", $1); |
printf("Group %s has more than 8 characters.\n", $1); |
|
|
| done |
done |
| if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
| printf "\nChecking root csh paths, umask values:\n$list\n" |
printf "\nChecking root csh paths, umask values:\n$list\n" |
| if [ -s $OUTPUT ]; then |
if [ -s $OUTPUT ] ; then |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
|
|
| done |
done |
| if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
| printf "\nChecking root sh paths, umask values:\n$list\n" |
printf "\nChecking root sh paths, umask values:\n$list\n" |
| if [ -s $OUTPUT ]; then |
if [ -s $OUTPUT ] ; then |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
|
|
| for f in $list ; do |
for f in $list ; do |
| if [ -s $f ] ; then |
if [ -s $f ] ; then |
| awk '{ |
awk '{ |
| if ($0 ~ /^\+@.*$/ ) |
if ($0 ~ /^\+@.*$/) |
| next; |
next; |
| if ($0 ~ /^\+.*$/ ) |
if ($0 ~ /^\+.*$/) |
| printf("\nPlus sign in %s file.\n", FILENAME); |
printf("\nPlus sign in %s file.\n", FILENAME); |
| }' $f |
}' $f |
| fi |
fi |
| done |
done |
| |
|
| # Check for special users with .rhosts/.shosts files. Only root should |
# Check for special users with .rhosts/.shosts files. Only root |
| # have .rhosts/.shosts files. Also, .rhosts/.shosts files |
# should have .rhosts/.shosts files. Also, .rhosts/.shosts |
| # should not have plus signs. |
# files should not have plus signs. |
| awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
| ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
| { print $1 " " $6 }' /etc/passwd | |
{ print $1 " " $6 }' /etc/passwd | |
|
|
| awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
| while read uid homedir; do |
while read uid homedir; do |
| for j in .rhosts .shosts; do |
for j in .rhosts .shosts; do |
| if [ -f ${homedir}/$j ] ; then |
if [ -s ${homedir}/$j ] ; then |
| awk '{ |
awk '{ |
| if ($0 ~ /^+@.*$/ ) |
if ($0 ~ /^+@.*$/ ) |
| next; |
next; |
| if ($0 ~ /^\+[ ]*$/ ) |
if ($0 ~ /^\+[ ]*$/ ) |
| printf("%s has + sign in it.\n", |
printf("%s has + sign in it.\n", |
| FILENAME); |
FILENAME); |
| }' ${homedir}/$j |
}' ${homedir}/$j |
| fi |
fi |
| done |
done |
|
|
| |
|
| # Check home directories. Directories should not be owned by someone else |
# Check home directories. Directories should not be owned by someone else |
| # or writeable. |
# or writeable. |
| awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \ |
awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \ |
| while read uid homedir; do |
while read uid homedir; do |
| if [ -d ${homedir}/ ] ; then |
if [ -d ${homedir}/ ] ; then |
| file=`ls -ldgT ${homedir}` |
file=`ls -ldgT ${homedir}` |
|
|
| done | |
done | |
| awk '$1 != $5 && $5 != "root" \ |
awk '$1 != $5 && $5 != "root" \ |
| { print "user " $1 " " $2 " file is owned by " $5 } |
{ print "user " $1 " " $2 " file is owned by " $5 } |
| |
$3 ~ /^-...r/ \ |
| |
{ print "user " $1 " " $2 " file is group readable" } |
| $3 ~ /^-......r/ \ |
$3 ~ /^-......r/ \ |
| { print "user " $1 " " $2 " file is other readable" } |
{ print "user " $1 " " $2 " file is other readable" } |
| $3 ~ /^-....w/ \ |
$3 ~ /^-....w/ \ |
|
|
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
| if [ -f /etc/exports ]; then |
# File systems should not be globally exported. |
| # File systems should not be globally exported. |
if [ -s /etc/exports ] ; then |
| awk '{ |
awk '{ |
| if ($1 ~ /^#/) |
if ($1 ~ /^#/) |
| next; |
|
| readonly = 0; |
|
| for (i = 2; i <= NF; ++i) { |
|
| if ($i ~ /-ro/) |
|
| readonly = 1; |
|
| else if ($i !~ /^-/) |
|
| next; |
next; |
| } |
readonly = 0; |
| if (readonly) |
for (i = 2; i <= NF; ++i) { |
| print "File system " $1 " globally exported, read-only." |
if ($i ~ /-ro/) |
| else |
readonly = 1; |
| print "File system " $1 " globally exported, read-write." |
else if ($i !~ /^-/) |
| }' < /etc/exports > $OUTPUT |
next; |
| if [ -s $OUTPUT ] ; then |
} |
| printf "\nChecking for globally exported file systems.\n" |
if (readonly) |
| cat $OUTPUT |
print "File system " $1 " globally exported, read-only." |
| fi |
else |
| |
print "File system " $1 " globally exported, read-write." |
| |
}' < /etc/exports > $OUTPUT |
| |
if [ -s $OUTPUT ] ; then |
| |
printf "\nChecking for globally exported file systems.\n" |
| |
cat $OUTPUT |
| |
fi |
| fi |
fi |
| |
|
| # Display any changes in setuid/setgid files and devices. |
# Display any changes in setuid/setgid files and devices. |
| pending="\nChecking setuid/setgid files and devices:\n" |
pending="\nChecking setuid/setgid files and devices:\n" |
| (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
| -o -fstype procfs \) -a -prune -o \ |
-o -fstype procfs \) -a -prune -o \ |
| -type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \ |
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ |
| ! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \ |
! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \ |
| sort > $LIST) 2> $OUTPUT |
xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT |
| |
|
| # Display any errors that occurred during system file walk. |
# Display any errors that occurred during system file walk. |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
|
|
| fi |
fi |
| |
|
| # Display any changes in the setuid/setgid file list. |
# Display any changes in the setuid/setgid file list. |
| egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1 |
egrep -v '^[bc]' $LIST > $TMP1 |
| if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
| # Check to make sure uudecode isn't setuid. |
# Check to make sure uudecode isn't setuid. |
| if grep -w uudecode $TMP1 > /dev/null ; then |
if grep -w uudecode $TMP1 > /dev/null ; then |
|
|
| : |
: |
| else |
else |
| > $TMP2 |
> $TMP2 |
| join -112 -212 -v2 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "${pending}Setuid additions:\n" |
printf "${pending}Setuid additions:\n" |
| pending= |
pending= |
|
|
| printf "\n" |
printf "\n" |
| fi |
fi |
| |
|
| join -112 -212 -v1 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "${pending}Setuid deletions:\n" |
printf "${pending}Setuid deletions:\n" |
| pending= |
pending= |
|
|
| printf "\n" |
printf "\n" |
| fi |
fi |
| |
|
| sort +11 $TMP2 $CUR $TMP1 | \ |
sort +9 $TMP2 $CUR $TMP1 | \ |
| sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "${pending}Setuid changes:\n" |
printf "${pending}Setuid changes:\n" |
|
|
| # Check for block and character disk devices that are readable or writeable |
# Check for block and character disk devices that are readable or writeable |
| # or not owned by root.operator. |
# or not owned by root.operator. |
| >$TMP1 |
>$TMP1 |
| DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd" |
DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" |
| for i in $DISKLIST; do |
for i in $DISKLIST; do |
| egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
| egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
|
| # the hacker can modify the tree specification to match the replaced binary. |
# the hacker can modify the tree specification to match the replaced binary. |
| # For details on really protecting yourself against modified binaries, see |
# For details on really protecting yourself against modified binaries, see |
| # the mtree(8) manual page. |
# the mtree(8) manual page. |
| if [ -d /etc/mtree ]; then |
if [ -d /etc/mtree ] ; then |
| cd /etc/mtree |
cd /etc/mtree |
| mtree -e -p / -f /etc/mtree/special > $OUTPUT |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
|
|
| [ $file = '*.secure' ] && continue |
[ $file = '*.secure' ] && continue |
| tree=`sed -n -e '3s/.* //p' -e 3q $file` |
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
| mtree -f $file -p $tree > $TMP1 |
mtree -f $file -p $tree > $TMP1 |
| if [ -s $TMP1 ]; then |
if [ -s $TMP1 ] ; then |
| printf "\nChecking $tree:\n" >> $OUTPUT |
printf "\nChecking $tree:\n" >> $OUTPUT |
| cat $TMP1 >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
| fi |
fi |
|
|
| for file in `cat /etc/changelist`; do |
for file in `cat /etc/changelist`; do |
| CUR=/var/backups/`basename $file`.current |
CUR=/var/backups/`basename $file`.current |
| BACK=/var/backups/`basename $file`.backup |
BACK=/var/backups/`basename $file`.backup |
| if [ -s $file ]; then |
if [ -s $file ] ; then |
| if [ -s $CUR ] ; then |
if [ -s $CUR ] ; then |
| diff $CUR $file > $OUTPUT |
diff $CUR $file > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
![[BACK]](/icons/back.gif){kind=icon}
Return to security CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc